Wednesday, 7 June 2017

Third part of my DNS setup notes: changing the DNSSEC config from NSEC to NSEC3. This has been on my TODO list for over a year now, and despite the tutorial at the ISC Knowledge Base, the ride was a bit bumpy.

Generating new keys

The previous keys were using the default RSASHA1 algorithm (number 5), and we
need new keys using RSASHA256 (number 8).

Generating those keys was easy. On a machine with enough available entropy in
/dev/random (such as a Raspberry Pi with its hardware random number generator)
run:

Transfer the keys to the server where Bind is running, into the directory
where Bind is looking for them.

Loading the keys

The documentation says to load the keys with

rndc loadkeys example.net

but that ended with a cryptic message in the logs:

NSEC only DNSKEYs and NSEC3 chains not allowed

Apparently, the algorithm of the old keys does not allow using NSEC3 (which I
knew), so Bind refuses to load these keys (which I didn't anticipate). I
eventually resorted to stopping Bind completely, moving away the old keys,
deleting the *.signed and *.signed.jnl files in /var/cache/bind/ and
restarting Bind. The new keys were then loaded automatically, and the zone was
re-signed using NSEC.

NSEC3 at last

I could then resume with the tutorial.

First, generate a random salt:

openssl rand -hex 4

(let's assume the result of that operation was “d8add234”).
Then tell Bind the parameters it needs to create NSEC3 records:

rndc signing -nsec3param 1 0 10 d8add234 example.com.

Then check that the zone is signed with

rndc signing -list example.com
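To see what the four values in that NSEC3PARAM line actually do, here is an added example (not from this post, nor from ISC or BIND) that computes the RFC 5155 hashed owner name for a given name under the post's parameters, so you can check the NSEC3 records `rndc signing -list` and `dig` show you against what they should be. The owner names used below and the zone example.com are assumptions for illustration.

```python
import base64
import hashlib

# NSEC3PARAM rdata from the post: hash algorithm 1 (SHA-1), flags 0,
# 10 additional iterations, 4-byte salt d8add234.
PAGE_NSEC3PARAM = "1 0 10 d8add234"

# base32 (A-Z2-7) -> base32hex (0-9A-V), RFC 4648 section 7
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def parse_nsec3param(rdata: str):
    """Split NSEC3PARAM rdata into (hash_alg, flags, iterations, salt).
    A salt of "-" means no salt (RFC 5155 section 3.3)."""
    alg, flags, iters, salt = rdata.split()
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return int(alg), int(flags), int(iters), salt_bytes


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name (RFC 4034 section 6.2): lowercase
    labels, each prefixed by its length, terminated by the root label."""
    name = name.rstrip(".").lower()
    if not name:
        return b"\x00"  # the root
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(owner: str, rdata: str = PAGE_NSEC3PARAM) -> str:
    """Hashed owner name per RFC 5155 section 5: H(name || salt), then
    `iterations` further rounds of H(previous || salt), base32hex-encoded."""
    alg, _flags, iterations, salt = parse_nsec3param(rdata)
    if alg != 1:
        raise ValueError("RFC 5155 defines only hash algorithm 1 (SHA-1)")
    digest = hashlib.sha1(wire_name(owner) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 SHA-1 bytes encode to exactly 32 base32 characters, no '=' padding.
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()


if __name__ == "__main__":
    # Assumed name; the output is the first label of the matching NSEC3 RR.
    print(nsec3_hash("www.example.com"))
```

The salt only changes the hash input, so it hides nothing from anyone who has the NSEC3PARAM record; extra iterations just raise the cost for both your server and every validator, which is why RFC 9276 now recommends iterations 0 and an empty salt.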

Linking the zones

Since the keys have changed, you need to update your domain's DS record in
your parent domain's DNS, using the tool provided to you by your registrar.
This step is the same as in the "Linking the zones" section of the previous
part of this tutorial.